SlideShare a Scribd company logo

Lecture 7 certificates

R
rajakhurram

The document discusses X.509 certificates which contain a user's public key signed by a Certificate Authority (CA). Certificates are used in technologies like S/MIME, IPsec, SSL/TLS and SET. The document also discusses how certificates are obtained from a CA, how they can be revoked, CA hierarchies, authentication procedures using certificates, and the Internet Key Exchange (IKE) protocol which negotiates security associations for IPsec VPNs using Diffie-Hellman key exchange.

TechnologyEducation
Related topics:
Network Security
1 of 19
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
Certificates
X.509 Authentication Service • Distributed set of servers that maintains a database about users. • Each certificate contains the public key of a user and is signed with the private key of a CA. • Is used in S/MIME, IP Security, SSL/TLS and SET. • RSA is recommended to use. 2 ET1318 - Network Security
3 ET1318 - Network Security
4 ET1318 - Network Security
Public-Key Certificate Use 5 ET1318 - Network Security
X.509 Formats 6 ET1318 - Network Security
Obtaining a User’s Certificate • Characteristics of certificates generated by CA:  Any user with access to the public key of the CA can recover the user public key that was certified.  No part other than the CA can modify the certificate without this being detected. 7 ET1318 - Network Security
Revocation of Certificates • Reasons for revocation:  The users secret key is assumed to be compromised.  The user is no longer certified by this CA.  The CA’s certificate is assumed to be compromised. 8 ET1318 - Network Security
CA Hierarchy 9 ET1318 - Network Security
Authentication Procedures 10 ET1318 - Network Security
Internet Key Exchange (IKE) • Protocol to manage keys in IPsec by negotiating security associations between a set of peers • Based on RFC 2409 • Using a standard Diffie-Hellman exchange to obtain a shared secret • Also used to negotiate the encryption, authentication, and other cryptographic primitives that the VPN needs to create a SA • Derives from other key-exchange protocols  Internet Security Association and Key Management Protocol - ISAKMP  Oakley Key Determination protocol - Oakley  SKEME 11
IKE use in IPsec 12 ET1318 - Network Security
IKE and IPSec in Cisco ISO 13 ET1318 - Network Security
ISAKMP • Defines procedures and packet formats to negotiate, establish, modify, and delete SAs • UDP or TCP port 500 • Establishment of SAs by using ISAKMP are achieved in two phases 1. Peers authenticate each others and establish a secure communication channel 2. ISAKMP negotiates VPN SAs 14 ET1318 - Network Security
ISAKMP Cookies • IKE’s goal is to prevent against DoS-attacks • An easy DoS attack against IKE could be to flood an IKE node with IKE packets with spoofed source address. Hence forcing the IKE node to do expensive, but useless, Diffie-Hellman calculations • ISAKMP uses cookies to identify the source before doing the expensive Diffie-Hellman calculation • The ISAKMP node sends a cookie that the receiver must bounce in order to start Diffie-Hellman key exchange 15 ET1318 - Network Security
ISAKMP 16 ET1318 - Network Security
ISAKMP Payload Types • Key Exchange Payload • Certificate Payload (transfers a public key certificate) • Notification Payload (error messages) • Responder-Lifetime • Hash Payload • Signature Payload 17 ET1318 - Network Security
ISAKMP Payload Example 18 ET1318 - Network Security
Oakley • Three authentication methods:  Digital signatures  Public-key encryption  Symmetric-key encryption 19 ET1318 - Network Security

More Related Content

PDF
Protegendo sua cloud
Cisco do Brasil
 
PPTX
Itn6 instructor materials_chapter1
limenih muluneh
 
PDF
Bloombase Spitfire Link Encryptor Server Brochure
Bloombase
 
PDF
Bloombase SpitfireOS Specifications
Bloombase
 
PDF
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
Fatih Ozavci
 
PDF
SecurityRI Wifi Security / Secure your Network
Gian Gentile
 
PDF
VoIP Wars: Destroying Jar Jar Lync (Filtered version)
Fatih Ozavci
 
PPTX
Ccna security
umesh patil
 
Protegendo sua cloud
Cisco do Brasil
 
Itn6 instructor materials_chapter1
limenih muluneh
 
Bloombase Spitfire Link Encryptor Server Brochure
Bloombase
 
Bloombase SpitfireOS Specifications
Bloombase
 
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
Fatih Ozavci
 
SecurityRI Wifi Security / Secure your Network
Gian Gentile
 
VoIP Wars: Destroying Jar Jar Lync (Filtered version)
Fatih Ozavci
 
Ccna security
umesh patil
 

What's hot (20)

PDF
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
Fatih Ozavci
 
PPT
Asa sslvpn security
Jack Melson
 
PDF
The-Cisco-Aironet-1130AG-Series-Access-Point-Is-An95
Justrassity996
 
PDF
Departed Communications: Learn the ways to smash them!
Fatih Ozavci
 
PPTX
lmplementing Firewall Technologies
Abdulrahman AL-shobaki
 
PDF
Hacking SIP Like a Boss!
Fatih Ozavci
 
PPTX
Developing an IoT System FIWARE Based from the Scratch
FIWARE
 
PPT
CCNA Security - Chapter 2
Irsandi Hasan
 
PDF
VoIP Wars: The Phreakers Awaken
Fatih Ozavci
 
PDF
Fortigate fortiwifi-80f-series
Julian Ernesto Martinez Oliva
 
PDF
Maemo 6 Platform Security
Peter Schneider
 
DOC
Vikash_mani
Vikash Mani
 
PDF
Open ssl certificate (https) for hotspot mikrotik
Aldi Nor Fahrudin
 
PDF
z/OS Authorized Code Scanner
Luigi Perrone
 
DOC
Network Engineer
varma ksn
 
PDF
DEFCON 23 - Fatih Ozavci - the art of voip workshop
Felipe Prado
 
PDF
CipherWire Networks - SafeNet KeySecure
cnnetwork
 
PPT
CCNA Security 012- cryptographic systems
Ahmed Habib
 
DOCX
Cisco asa 5500 series adaptive security appliances
IT Tech
 
PDF
02 ipv6-cpe-panel security
Haris Padinharethil
 
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
Fatih Ozavci
 
Asa sslvpn security
Jack Melson
 
The-Cisco-Aironet-1130AG-Series-Access-Point-Is-An95
Justrassity996
 
Departed Communications: Learn the ways to smash them!
Fatih Ozavci
 
lmplementing Firewall Technologies
Abdulrahman AL-shobaki
 
Hacking SIP Like a Boss!
Fatih Ozavci
 
Developing an IoT System FIWARE Based from the Scratch
FIWARE
 
CCNA Security - Chapter 2
Irsandi Hasan
 
VoIP Wars: The Phreakers Awaken
Fatih Ozavci
 
Fortigate fortiwifi-80f-series
Julian Ernesto Martinez Oliva
 
Maemo 6 Platform Security
Peter Schneider
 
Vikash_mani
Vikash Mani
 
Open ssl certificate (https) for hotspot mikrotik
Aldi Nor Fahrudin
 
z/OS Authorized Code Scanner
Luigi Perrone
 
Network Engineer
varma ksn
 
DEFCON 23 - Fatih Ozavci - the art of voip workshop
Felipe Prado
 
CipherWire Networks - SafeNet KeySecure
cnnetwork
 
CCNA Security 012- cryptographic systems
Ahmed Habib
 
Cisco asa 5500 series adaptive security appliances
IT Tech
 
02 ipv6-cpe-panel security
Haris Padinharethil
 
Ad

Viewers also liked (9)

PDF
Lecture malicious software
rajakhurram
 
PPT
Lecture 11 wifi security
rajakhurram
 
PPTX
Lecture 10 intruders
rajakhurram
 
PPT
Lecture 5 ip security
rajakhurram
 
PPT
Lecture 9 key distribution and user authentication
rajakhurram
 
PDF
Malicious software
rajakhurram
 
PPT
Lecture 12 malicious software
rajakhurram
 
PPT
Lecture 4 firewalls
rajakhurram
 
PPT
Lecture 6 web security
rajakhurram
 
Lecture malicious software
rajakhurram
 
Lecture 11 wifi security
rajakhurram
 
Lecture 10 intruders
rajakhurram
 
Lecture 5 ip security
rajakhurram
 
Lecture 9 key distribution and user authentication
rajakhurram
 
Malicious software
rajakhurram
 
Lecture 12 malicious software
rajakhurram
 
Lecture 4 firewalls
rajakhurram
 
Lecture 6 web security
rajakhurram
 
Ad

Similar to Lecture 7 certificates (20)

PDF
Security intermediate practical cryptography_certs_and 802.1_x_rich langston...
Aruba, a Hewlett Packard Enterprise company
 
PPTX
crypto.pptx
Sameenafathima4
 
PPTX
crypto.pptx
Sameenafathima4
 
PPT
Phifer 3 30_04
Ayano Midakso
 
PPTX
Cryptography and network security
PriyadharshiniVS
 
PPTX
Wpa3
Bhavya Dashora
 
PPTX
Module 8 - Ccna - Pre.pptx
AliMohamed855266
 
PDF
20 palo alto site to site
Mostafa El Lathy
 
PPT
Information Security Lesson 9 - Keys - Eric Vanderburg
Eric Vanderburg
 
PPTX
cryptography.pptx
Mvidhya9
 
PPTX
Shanghai Breakout: Wireless LAN Security Fundamentals
Aruba, a Hewlett Packard Enterprise company
 
PPTX
Wi-Fi Security Fundamentals
Aruba, a Hewlett Packard Enterprise company
 
PPT
Improved authentication & key agreement protocol using elliptic curve cryptog...
CAS
 
PDF
Using Hard Disk Encryption and Novell SecureLogin
Novell
 
PDF
Sullivan handshake proxying-ieee-sp_2014
Cloudflare
 
PPT
Unit08
Nurul Nadirah
 
PPT
SSL & TLS Architecture short
Avirot Mitamura
 
PPTX
IBM Secret Key management protoco
gori4
 
PPT
ch1 eriht eriotery erogyteip ergy7.ppt
SonukumarRawat
 
PPT
chap17 computer and programming in cpp.ppt
ubaidullah75790
 
Security intermediate practical cryptography_certs_and 802.1_x_rich langston...
Aruba, a Hewlett Packard Enterprise company
 
crypto.pptx
Sameenafathima4
 
crypto.pptx
Sameenafathima4
 
Phifer 3 30_04
Ayano Midakso
 
Cryptography and network security
PriyadharshiniVS
 
Wpa3
Bhavya Dashora
 
Module 8 - Ccna - Pre.pptx
AliMohamed855266
 
20 palo alto site to site
Mostafa El Lathy
 
Information Security Lesson 9 - Keys - Eric Vanderburg
Eric Vanderburg
 
cryptography.pptx
Mvidhya9
 
Shanghai Breakout: Wireless LAN Security Fundamentals
Aruba, a Hewlett Packard Enterprise company
 
Wi-Fi Security Fundamentals
Aruba, a Hewlett Packard Enterprise company
 
Improved authentication & key agreement protocol using elliptic curve cryptog...
CAS
 
Using Hard Disk Encryption and Novell SecureLogin
Novell
 
Sullivan handshake proxying-ieee-sp_2014
Cloudflare
 
Unit08
Nurul Nadirah
 
SSL & TLS Architecture short
Avirot Mitamura
 
IBM Secret Key management protoco
gori4
 
ch1 eriht eriotery erogyteip ergy7.ppt
SonukumarRawat
 
chap17 computer and programming in cpp.ppt
ubaidullah75790
 

Recently uploaded (20)

PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Teaching material agriculture food technology
LiaRayya
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Encapsulation theory and applications.pdf
gurumoop
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 

Lecture 7 certificates

  • 2. X.509 Authentication Service • Distributed set of servers that maintains a database about users. • Each certificate contains the public key of a user and is signed with the private key of a CA. • Is used in S/MIME, IP Security, SSL/TLS and SET. • RSA is recommended to use. 2 ET1318 - Network Security
  • 5. Public-Key Certificate Use 5 ET1318 - Network Security
  • 6. X.509 Formats 6 ET1318 - Network Security
  • 7. Obtaining a User’s Certificate • Characteristics of certificates generated by CA:  Any user with access to the public key of the CA can recover the user public key that was certified.  No part other than the CA can modify the certificate without this being detected. 7 ET1318 - Network Security
  • 8. Revocation of Certificates • Reasons for revocation:  The users secret key is assumed to be compromised.  The user is no longer certified by this CA.  The CA’s certificate is assumed to be compromised. 8 ET1318 - Network Security
  • 9. CA Hierarchy 9 ET1318 - Network Security
  • 10. Authentication Procedures 10 ET1318 - Network Security
  • 11. Internet Key Exchange (IKE) • Protocol to manage keys in IPsec by negotiating security associations between a set of peers • Based on RFC 2409 • Using a standard Diffie-Hellman exchange to obtain a shared secret • Also used to negotiate the encryption, authentication, and other cryptographic primitives that the VPN needs to create a SA • Derives from other key-exchange protocols  Internet Security Association and Key Management Protocol - ISAKMP  Oakley Key Determination protocol - Oakley  SKEME 11
  • 12. IKE use in IPsec 12 ET1318 - Network Security
  • 13. IKE and IPSec in Cisco ISO 13 ET1318 - Network Security
  • 14. ISAKMP • Defines procedures and packet formats to negotiate, establish, modify, and delete SAs • UDP or TCP port 500 • Establishment of SAs by using ISAKMP are achieved in two phases 1. Peers authenticate each others and establish a secure communication channel 2. ISAKMP negotiates VPN SAs 14 ET1318 - Network Security
  • 15. ISAKMP Cookies • IKE’s goal is to prevent against DoS-attacks • An easy DoS attack against IKE could be to flood an IKE node with IKE packets with spoofed source address. Hence forcing the IKE node to do expensive, but useless, Diffie-Hellman calculations • ISAKMP uses cookies to identify the source before doing the expensive Diffie-Hellman calculation • The ISAKMP node sends a cookie that the receiver must bounce in order to start Diffie-Hellman key exchange 15 ET1318 - Network Security
  • 16. ISAKMP 16 ET1318 - Network Security
  • 17. ISAKMP Payload Types • Key Exchange Payload • Certificate Payload (transfers a public key certificate) • Notification Payload (error messages) • Responder-Lifetime • Hash Payload • Signature Payload 17 ET1318 - Network Security
  • 18. ISAKMP Payload Example 18 ET1318 - Network Security
  • 19. Oakley • Three authentication methods:  Digital signatures  Public-key encryption  Symmetric-key encryption 19 ET1318 - Network Security